The following sections describe the contents and organization of this guide—Programming WebLogic Security:
This document explains how to use the WebLogic Server security programming features.
See Related Information for a description of other WebLogic Server security documentation.
This document is intended for the following audiences:
Java programmers who focus on developing client applications, adding security to Web applications and Enterprise JavaBeans (EJBs). They work with other engineering, Quality Assurance (QA), and database teams to implement security features. Application developers have in-depth/working knowledge of Java (including Java Platform, Enterprise Edition (Java EE) Version 5 components such as servlets/JSPs and JSEE) and Java security.
Application developers use the WebLogic security and Java 2 security application programming interfaces (APIs) to secure their applications. Therefore, this document provides instructions for using those APIs for securing Web applications, Java applications, and Enterprise JavaBeans (EJBs).
Developers who focus on defining the system architecture and infrastructure for security products that integrate into WebLogic Server and on developing custom security providers for use with WebLogic Server. They work with application architects to ensure that the security architecture is implemented according to design and that no security holes are introduced. They also work with WebLogic Server administrators to ensure that security is properly configured. Security developers have a solid understanding of security concepts, including authentication, authorization, auditing (AAA), in-depth knowledge of Java (including Java Management eXtensions (JMX), and working knowledge of WebLogic Server and security provider functionality.
Security developers use the Security Service Provider Interfaces (SSPIs) to develop custom security providers for use with WebLogic Server. This document does not address this task; for information on how to use the SSPIs to develop custom security providers, see Developing Security Providers for WebLogic Server.
Administrators who work closely with application architects to design a security scheme for the server and the applications running on the server, to identify potential security risks, and to propose configurations that prevent security problems. Related responsibilities may include maintaining critical production systems, configuring and managing security realms, implementing authentication and authorization schemes for server and application resources, upgrading security features, and maintaining security provider databases. WebLogic Server administrators have in-depth knowledge of the Java security architecture, including Web application and EJB security, Public Key security, and SSL.
Administrators who work with WebLogic Server administrators to implement and maintain security configurations and authentication and authorization schemes, and to set up and maintain access to deployed application resources in defined security realms. Application administrators have general knowledge of security concepts and the Java Security architecture. They understand Java, XML, deployment descriptors, and can identify security events in server and audit logs.
While administrators typically use the Administration Console to deploy, configure, and manage applications when they put the applications into production, application developers may also use the Administration Console to test their applications before they are put into production. At a minimum, testing requires that applications be deployed and configured. This document does not cover some aspects of administration as it relates to security, rather, it references Securing WebLogic Server, Securing WebLogic Resources Using Roles and Policies, and Administration Console Online Help for descriptions of how to use the Administration Console to perform security tasks.
This document is organized as follows:
weblogic.securitypackages in which APIs have been deprecated.
|Note:||This document does not supply detailed information for developers who want to write custom security providers for use with WebLogic Server. For information on developing custom security providers, see Developing Security Providers for WebLogic Server.|
In addition to this document, Programming WebLogic Security, the following documents provide information on the WebLogic Security Service:
In addition to the documents listed in Related Information, BEA Systems provides a variety of code samples for developers.
WebLogic Server optionally installs API code examples in
WL_HOME is the top-level directory of your WebLogic Server installation. You can start the examples server, and obtain information about the samples and how to run them from the WebLogic Server Start menu.
The following examples illustrate WebLogic security features:
The security tasks and code examples provided in this document assume that you are using the WebLogic security providers that are included in the WebLogic Server distribution, not custom security providers. The usage of the WebLogic security APIs does not change if you elect to use custom security providers, however, the management procedures of your custom security providers may be different.
|Note:||This document does not provide comprehensive instructions on how to configure WebLogic Security providers or custom security providers. For information on configuring WebLogic security providers and custom security providers, see Securing WebLogic Server.|
Additional API examples are available for download at
.zip files that you can unzip into an existing WebLogic Server samples directory structure.
You build and run the downloadable examples in the same manner as you would an installed WebLogic Server example. See the download pages of individual examples for more information.
For this manual, there are no significant new or changed features for version 10.0 of WebLogic Server.